Scholarly article on topic 'ALARP (A Railway Automatic Track Warning System Based on Distributed Personal Mobile Terminals)'

ALARP (A Railway Automatic Track Warning System Based on Distributed Personal Mobile Terminals) Academic research paper on "Materials engineering"

Share paper
OECD Field of science
{ALARP / railway / safety / ATWS / "track warning system" / SIL}

Abstract of research paper on Materials engineering, author of scientific article — Antonio Andrea Seminatore, Luca Ghelardoni, Andrea Ceccarelli, Lorenzo Falai, Michael Schultheis, et al.

Abstract The ALARP (A railway automatic track warning system based on distributed personal mobile terminals) project has the aim to study, design and implement an innovative more efficient Automated Track Warning Systems with the intent of overcome the limits of current state-of-the-art solutions. The ALARP system provides a solution which is low cost, non-invasive, easy to install and totally independent from the existing signaling. It is responsible of advising workers of a train approaching and has the functionality of localizing the workers inside the worksite and of guiding them to a safe area.

Academic research paper on topic "ALARP (A Railway Automatic Track Warning System Based on Distributed Personal Mobile Terminals)"

Available online at

SciVerse ScienceDirect PfOCSCl ¡0

Social and Behavioral Sciences

Procedia - Social and Behavioral Sciences 48 (2012) 2081 - 2090

Transport Research Arena- Europe 2012

ALARP (A Railway Automatic Track Warning System Based on Distributed Personal Mobile Terminals)

Antonio Andrea Seminatorea'*9 Luca Ghelardonia, Andrea Ceccarellib9 Lorenzo Falaic, Michael Schultheisd9 Boris Malinowskye

"Ansaldo STS, Via Paolo Mantovani 3-5, 16151, Genova, Italy b Department of Systems and Informatics, University ofFirenze, Viale Morgagni 65, 50134, Firenze, Italy

cResiltech, Piazza Iotti, 25, 56025, Pontedera (PI), Italy dInstitute of Ergonomics, Technical University ofDarmstadt, Petersenstr. 30, 64287, Darmstadt, Germany eFTWForschungszentrum Telekommunikation Wien GmbH, Donau-City-Straße 1, A-1220 Vienna, Austria


The ALARP (A railway automatic track warning system based on distributed personal mobile terminals) project has the aim to study, design and implement an innovative more efficient Automated Track Warning Systems with the intent of overcome the limits of current state-of-the-art solutions. The ALARP system provides a solution which is low cost, non-invasive, easy to install and totally independent from the existing signaling. It is responsible of advising workers of a train approaching and has the functionality of localizing the workers inside the worksite and of guiding them to a safe area.

©22012 Published by Elsevier Ltd. Selection and/or peer review under responsibility of the Programme Committee of the T ransport Research Arena 2012

Keywords: ALARP; railway; safety; ATWS; track warning system; SIL

1. Introduction (ASTS + all)

Safety of workers is a serious concern of the most industrialized countries. Surface transport workers are facing very high risks since they often operate without service interruptions. In railway situation is even more peculiar, since vehicles are constrained to tracks and therefore drivers have much less margins to react in case of emergencies and therefore workers are much more exposed to injuries and fatalities. The objective of the ALARP (A railway automatic track warning system based on distributed personal

* Corresponding author. E-mail address',


1877-0428 © 2012 Published by Elsevier Ltd. Selection and/or peer review under responsibility of the Programme Committee of the Transport Research Arena 2012


mobile terminals, [2]) EU FP7 project is therefore to study, design and develop an innovative more efficient Automatic Track Warning System (ATWS) to improve the safety of railway trackside workers.

Some existing ATWS have been tested in recent years but the following intrinsic problems have hindered a widespread use of these devices: i) they are expensive; ii) systems are complex to install and use; iii) they rely on existing signalling systems and therefore not usable in scarce traffic lines without signalling. Furthermore, their training time is consuming and complex.

ALART ATWS intends to overcome these defects by proposing a new approach with the following characteristics:

• selectively inform the trackside workers about approaching trains on the track, maintenance events on power lines and/or safety equipment in the concerned tracks that may put at risk workers' safety (e.g. being hit by a train or by an electric shock), emergencies on tracks and tunnels nearby the workers (e.g. fires in a tunnel, toxic smoke, etc.), escape routes in case of emergencies;

• being a personalised solution it offers an higher testability and the possibility to give advice/directions to the workers to reach safe areas;

• keep track of the status and localisation of the workers (and especially those at risk, not responding) and of the operating conditions of devices.

• it is completely independent from a signalling system, making it usable on any type of railway, including scarce traffic and regional lines;

• it offers the possibility to include a wider range of alarm causes including images and messages of what caused the alarm (thus increasing the testability of the system);

• it does not depend on a centralised control room and each Mobile Terminal can assume the leader role thus increasing dependability and availability.

The proposed ALARP concept will be based on the following main components:

• one or more track-side Train Presence Alert Devices (TPADs), able to sense an approaching train on the interested track without interfering with the signalling system; TPADs are autonomous, self-powered alerting system that will serve a virtual gate and will deliver an alarm to all the people within the relevant site

• a set of distributed, low-cost, wearable, context-aware, robust, testable and highly reliable, wireless Mobile Terminals (MTs) to inform the workers about possible approaching trains and/or other events that could put at risk their safety.

This paper describes the ALARP system and its components. In particular, Chapter 2 contains a general overview of the ALARP system, including the system state diagram and the description of each single state. Chapter 3 reports a general description of the Mobile Terminal, while in Chapter 4, a description of the TPAD is present, reporting its main characteristics and functionalities. The communication solution exploited in the ALARP system are described in Chapter 5. Here, also the localization solution adopted, based on the exploitation of DGPS (Differential Global Positioning System) is present. Chapter 6 is dedicated to the approach adopted for the validation and certifiability of the system. Finally, in the last chapter the conclusion of the work done are drawn.

2. Requirements and Overview (ASTS + all)

The ALARP system is designed to protect working gangs along train lines providing ALERTS or WARNINGS related to approaching trains and/or on-track plants in order to improve safety by supporting (or replacing) human lookouts.

When workers lives are at risk an ALERT signal is sent to give them at least enough time to reach a safe position, according to the national regulations, otherwise WARNING signals are sent only to raise their attention.

Fig. 1 depicts the ALARP overall architecture which is based on the following components (described in details in the following of this paper): Train Presence Alert Devices (TPADs), Mobile Terminals (MTs), a Base Station (BS), which is used for communication/bridging purposes, and finally, for similar reasons, Optional Devices (OD) may be required depending on the dimension of the worksite and the surrounding environment.

Fig. 1. ALARP Architecture

As shown in Fig. 2, the system can be described by a graph, characterized by the following states: Worksite Planning, Set-Up and Calibration, Operation, Risk Event, Safe State, Dismantling.

Fig. 2. ALARP state diagram

The Worksite Planning state allows to define a set of parameters such as, for example, the number of TP AD detectors and where to position them, the number of MTs receivers, the number of all the optional devices needed and the worksite boundaries. In the ALARP context, a worksite is an area on the railway on or close to a track were workers are acting.

Worksite internal configuration is still the same, typically the working gang works in the 'under possession' condition or not: a track is considered to be 'under possession' when arrangements have been carried out to block the line completely to the normal passage of trains. The only movements allowed within a possession are on-track plants.

The boundaries definition allows to implement the electronic fences functionality and also allows to define two different zone: the Red zone and the Green zone.

Red (Risk) zone is defined as a worksite on the track which is not protected from rolling stock movements or, alternatively, a worksite near this track at a distance from the line of less than the safe working limit.

Otherwise it could be a worksite on the track under possession within which only movements of on-track plants are possible or, as in the previous case, a worksite near this track at a distance from the line of less than the safe working limit.

Green (Safe) zone instead is the safe area outside of the limits of the Red Zone working or a worksite on the track within which there are no rolling stock movements or near the track within which there are rolling stock movements.

Setup and Calibration state consists into TPADs set placement into the positions defined during the worksite planning. The placement of this fixed installation is followed by MTs switching on. The worker in charge of the site safety, using a MT and working in a safe condition, will check all TPADs. The last step is the check of basic functions of the system: communication between MTs and TPADs, communication between MTs, localisation functionality.

The Operation state can ensure continuously safety for workers staying within the site boundaries. The system can return to the Set-Up and Calibration if there is a change of the environmental conditions. When a risk is detected by TP AD or by other detectors the system change to Risk Event state and will return in Operation state when all Risk Events are manually or automatically reset.

In Risk Event state workers both the severity level of the detected rolling stocks and the position of worker MTs has to be taken into account in order to deliver a right warning or alert signal.

The system enter in Safe State when a fault occurs, since the system can't ensure safety for workers, each MT shows him owner an ALERT message in order to allow him to reach a safety position. A fault occurs when at least one of the basic system function is no longer guarantee. From this state the system return to Set-up and Calibration state in order to restore the system.

The system enter in Dismantling state when the site safety responsible decides the closure of the worksite and the system is into Operation state, all workers must reach the safe position and then it is possible to dismantle the ALARP equipment.

3. Mobile Terminal (MT) (UNIFI + TUD)

The main functionalities of the MTs are: i) to provide to the workers information on alarms and warnings on approaching trains, events that could put at risk their safety, the end of every single alarm/warning; ii) to support communication between the members of the working group; iii) to support the role of the COSS by using a specific interface; iv) to automatically verily the health of the workers and alert, if necessary, the rest of the group; v) to check if the neighbor MTs are getting the right alarm signal, and if not notify it to the COSS. The MT shall be a safe component (at least SIL 2 according to CENELEC railway standards) and, to keep costs low, it shall be based on COTS components.

The approach for the MT architecture is based on the hybrid distributed system model [5], in which the MT has been separated in two different systems with different sets of properties and that can rely on different sets of assumptions, namely in terms of security and timeliness. The MT architecture is organized in two subsystems, a wormhole subsystem and a payload subsystem (Fig. 1).

The wormhole is intended to execute on a very basic hardware, that ease monitoring and assessing its behaviour. The payload instead executes on a different hardware than the wormhole. The payload requires several hardware devices, and especially I/O devices to interact with the workers and network devices to communicate to the Train Presence Alert Devices (TPADs) and the other MTs.

In the wormhole, simple but critical services reside (Fig. 1). The services identified are the following middleware services: i) time-related services (the resilient clock Reliabile and Self-Aware Clock R&SAClock [6], that estimates time uncertainty and provides trusted time values, and a clock synchronization mechanism), and ii) a privacy and authentication service (it stores the private key of the worker, which allows signing the messages that are sent to provide authentication and non-repudiability). Such services are located in the wormhole because they require stronger (with respect to the rest of the system) assumptions on timeliness and security. Payload processes uses the wormhole services through the wormhole gateway. The payload processes do not need to know how wormholes are implemented, and vice-versa. This model ensures a clear separation of concerns between the properties offered by wormholes and their construction, and between the executions on either side of the wormhole gateway.

The software of the payload subsystem is instead structured in the three layers (Fig. 1): application layer, management middleware and communication layer. Note that the ergonomics is not explicitly addressed in Fig. 1, although very relevant for the MT scope and usage (see below).

The Application layer contains all the functional applications required by the MT subsystem (e.g., train approaching signalling, biometric monitoring, mapping, showing information to the users). The MT application layer has three main operational modes, or states: active (the MT is active and normally working), alert (an MT enters in this state if receives an ALERT event), and warning (an MT enters this state when it receives a WARNING event). The two macro-components identified in this layer are the localization component (described in Section 4) and the Application Logic (AL), described below.

Main components of the AL are the Event Manager, Mapping Manager, Alert Manager, Evacuation Manager, Warning Manager, Fault Manager and Input Sensors Manager. The Event Manager acts as a filter which receives messages coming from other layers, and passes them to the relevant modules of the Application logic. The Mapping Manager transforms outputs of localization into information to be used. The Alert Manager manages ALERT, activates output signals, and commands the Evacuation manager, which uses information from localization and from the Mapping Manager to guide the workers in a safe position. The Warning Manager receives WARNING events and activates the corresponding output signal(s) through the HMI. The Fault Manager informs the worker of events generated due to insufficient QoS (Quality of Service) or failures and the Input Sensors Manager interfaces directly with the (driver of the) input sensors to generate events to be passed to the Event Manager.

The Management middleware provides facilities to the other layers, implements services for resilient MT execution, and hides to the other layers the presence of two different subsystems: wormhole and payload. The management middleware has six operational modes, or states. In Start-Up state the initialization procedure and testing activities of all interfaces are performed. In Nominal state the MT is fully functional, in Low Power state the MT has low power autonomy and it provides a subset of its functionalities in order to save batteries, and in Degraded state the MT provides reduced functionalities due to lack of information as poor clock synchronization, large uncertainties in localization, or failures of non safety-related hardware. Finally, Safe State is entered when a malfunction is detected: the MT signals to the worker that it is not able to guarantee its safety properties anymore and halts its services.

The services of the management middleware are mainly monitoring and fault tolerance mechanisms that provide the required SIL of the MT, and are the following. The Execution monitor supervises the execution of the various sw components: it handles the activation and deactivation of threads and functions, and it monitors the execution of MT software. The Detection & testing performs software tests and checks on the MT. The QoS monitor provide to the other layers information on i) the battery power status (it also notifies when battery power is low), ii) the quality of local clock (synchronization uncertainty), achieved querying the wormhole service R&SAClock, and iii) the localization uncertainty. The Interface manager allows communicating with the communication layer and the application layer, and provides interfaces to the hw drivers. The Privacy manager manages public keys of the other components of the system and executes algorithms for message deciphering and signature verification.

The Communication layer provides the communication functionalities of the MTs towards TPAD and other MTs. It is detailed in Chapter 4.

Regarding I /0 devices and ergonomics solutions, the MT will contain a human-machine interface with two functions: the first is to inform the user on approaching trains or events that could put at risk his safety. The second function allows to give a quick feedback on incoming ALARM/WARNING signals. This interface has a simple structured layout with large control-buttons and a display to receive signals and fast user interactions in situations with high risks. The visual signals will have intuitive colors - "red" for ALERT, "orange" for WARNING and "green" for everything is ok, as usually apply in ergonomics. The intuitive colors for signals allow the user quick understanding and prevent him from information overload.

The ALERT/WARNING signals are transmitted over the visual and acoustic human channel. Signals are designed according ergonomic principles for each channel. Visual signals are displayed using intuitive icons. These will be combined with acoustic signals, which will have a frequencies between 250 -1000 Hz for the best suitable understanding.

Fig. 3. Overall view of the MT architecture

4. Train Presence Alter Device (TPAD)

One of the main components of the ALARP system is the TPAD. The TPAD is designed to be an autonomous, self-powered approaching train alerting system that serves as virtual gate and delivers an alarm to all the people within the relevant working site through a dedicated communication channel. It is imminent that the virtual gate needs to be located at a certain distance from the worksite, so that to

provide the personal in the relevant working site sufficient time to evacuate the area, even in case of an high speed railway.

From the functional point of view, the TPAD is composed by the following main blocks:

• Block I (Low power) is designed to trigger the TPAD from a "ready state" (e.g. hibernate) to a full functionality, due to a train detection (hence, Triggered State). The triggering is performed by a sub-block which will consist of two sensors typologies for the train detection: a geophone and an accelerometer. Also the communication layer is managed in this block. The main characteristic of this block is that, due to the fact the "ready state" is a continuous state, it is low power designed: Block I consumes less power as possible during the "ready state".

• Block II (High power) consists of additional sensors (both geophone and accelerometer) which also detect the train and enable the TPAD to satisfy the required train detection and safety level. This block may work in higher power consumption levels as it will only work per triggered event. The triggered event comes from Block I.

In general, Block I is "extra sensitive" (using very high gain detectors circuits) enabling a high probability of detection (POD), a low Tolerable Hazard Rate (THR), accordingly with the Safety Integrity Level SIL 2 specifications [1], [2] , but also having a mid to high False Alarm Rate (FAR). On the other hand Block II as another layer of detection input will have a mid to high POD and a low to none FAR. On the whole, the combination of both blocks detection inputs shall result in a TPAD with a very high POD, low THR (SIL 2) and a very low (to none) FAR.

5. Communication layer (Localization and Communication) (FTW)

The design objective of the communication layer is to enable resilient wireless communication and self-localization in the ALARP system. The ALARP communication layer is defined for TPADs, MTs, and worker geo-localization equipment at the worksite (Anchor Node and Electronic Fences). The design utilizes low cost off-the-shelf equipment for communication and localization.

5.1. CommunicationSolution

The overall communication architecture [7] may follow either a centralized or a decentralized communication setup. The initial design focus is the centralized setup, due to better predictability of the communication timing and simplified realization of synchronous communication channels at the worksite. This setup is primarily based on a fixed coordinator located at the worksite, with all MTs communicating via the coordinator (see E^aX^a! To ap/rio rcpoéXEuerçç -rrçç ava^opâç ôev PpéOrçKE.). The deployed timed reliable wireless communication protocol is using the coordinator to implement its centralized communication algorithm and maintain allocation of necessary communication resources.

Communication links between TPAD and the worksite might be enhanced by helper infrastructure in form of additional relay nodes (or repeaters) at the transmission path. At the worksite, TPAD information is disseminated to MTs via a TPAD Hub, the worksite-local endpoint for TPAD communication.

The communication layer targets a multi-interface communication approach, enabling the use of heterogeneous communication technologies for ALARP communication, and also to exploit technology-specific advantages. In the first development stage, the selected technology for TPAD to worksite communication consists of 868 MHz band technology for Short Range Devices (SRD) communication. Worksite communication uses IEEE 802.1 lb/g/e communication, with future enhancements integrating 802.1 In features. The proposed third technology is cellular, e.g., GPRS/UMTS, to enhance the

centralized architecture, providing additional long distance links to the TPADs, and making worksite communication less dependent on a fixed coordinator.

The Communication Layer defines four communication states for execution. Besides a Configuration State for initialization procedures and configuration by upper layers, and the Normal State, in which all nominal communication tasks are performed, two additional states target specific communication conditions in the ALARP system. A defined Degraded State maintains only a minimum set of communication functionality for high-priority safety-critical communication during severely degraded communication scenarios. An Energy Conserving State settles for a subset of Normal State communication functionality to minimize the overall communication layer energy consumption.

The overall communication solution maintains the communication layer in a known communication state, adheres to safety requirements, and timely decides on missing nodes as well as nodes deviating from the expected operation behavior, enforcing communication timeouts. The process of sending and delivering a message is bounded by a maximum time delay requirement.

The communication protocol shall allow the communication layer to reliably distribute messages. It offers broadcast (distribution to all nodes), multicast (one-to-many communication), and unicast (message exchange between two dedicated nodes) communication primitives. The reliability requirement is defined to match three different message criticalities, coming with a specific resilience degree for messages and probability of message delivery. For this, the communication layer offers the three criticality levels high for system safety-critical messages, medium for messages affecting system availability, and low for messages with no special requirements.

The Real-time Group Communication Protocol [8] forms the basis of the worksite communication protocol. It relies on IEEE 802.11 and a worksite coordinator (Access Point) using for realizing a polling scheme of the MTs in a round-based fashion using Time Division Multiple Access (TDMA), allocating node slots via time multiplexing.

In the safety-critical context of the ALARP system, no need for all ALARP nodes to reach agreement about message delivery is necessary, nor is enforcing a system-global message order (total order property). The Communication Layer will detect duplicated messages, ensure a sent message is delivered only once to the management middleware, and maintain FIFO message order between sender and receiver. This is realized by using unique node IDs and message sequence numbers. However, a message may not be delivered to all correct nodes; moreover, a node might start to process a message as soon as it was received. For message exchange, an authentication mechanism will be provided on a node basis, accessible through the management middleware, to allow message authentication.

5.2. Localization Solution

The localization design is deploying an ALARP specific differential GPS (DGPS) system and the use of Electronic Fences. The presented solution is primarily for outdoor localization at a worksite, since heavily relying on GPS information.

The primary localization equipment proposed in [4] consists on an Anchor Node in the form of a Reference Station (RS) with a DGPS receiver, providing a reference to establish a worksite-local coordinate system and broadcasting GPS and DGPS corrections to MTs. The RS is a simplified MT-like node, consisting of communication and positioning components, to which its position is well known. Although the current research focus is on a single RS, scaling the amount of references stations is possible.

Electronic Fences located in the worksite improve localization estimates in certain areas. Because ALARP should localize workers within the worksite with a precision of up to 10 cm in the longitude and latitude coordinate estimation, fences are an important mechanism in the overall combination of accurate

algorithms for self-localization. Fences enable detection of a worker on a straight line between two fence endpoints to determine when a worker crossed the fence boundary. Breached fences trigger specific verification activity of MTs in the fence's vicinity, whether the MT is on either side of the fence. Equally to other equipment, fences communicate wireless. Fence information is aggregated in a special virtual MT (performing similar to a TPAD Hub), and from there distributed by the default worksite communication mechanism.

Besides GPS, additional localization methods, e.g., inertial sensors and cooperative methods like internode ranging might be available to an MT. Each MT contains the corresponding processing modules to read position estimates and position error information. Data fusion is used to calculate final MT position and error estimates. Hence, even in the event of degraded communication, an MT will provide some localization capabilities.

6. Validation and Certifiability (RT)

ALARP has to operate in a context, like the railway one, in which the safety guarantees are extremely high and in which the safety must be demonstrated and certified following standards specific for the railway domain. Since ALARP system has a direct impact on the safety of the workers such standards have to be applied to the system in order to usable in real contexts. For this reason, the entire ALARP system was designed, beginning from the preliminary design phase, taking into consideration the typical steps and activities that characterize a certification process in the railway domain.

During the first year of the project, a Verification and Validation (and Safety) Plan was produced as project deliverable. In this document we indicated the verification and validation activities, and the safety management issues, planned in order to obtain a certifiable system. CENELEC standards was taken as reference for the future certification of the system, and the safety target for the system was decided to be Safety Integrity Level of 2 (possibly SIL 3) with respect to CENELEC 50129 [2]. Clearly the final objective in terms of certification in the ALARP project was not to obtain a certified final product, since ALARP is a pre-competitive research project; the idea was to design the system and to begin its development in order to obtain a possible future product that will be certifiable with a small effort, since the main problems related to safety was already took into account and some solutions adopted (e.g. the system architecture was decided depending on the related safety issues).

In the Verification and Validation (and Safety) Plan we assigned to the partners of the consortium several goals, associating them to the different project deliverable, of a typical Verification and Validation and Safety process with respect to CENELEC standards:

• Preliminary Hazard Analysis and Risk Assessment, using which we were able to identify additional safety requirements, as requiredby EN50129 [2]

• Software development requirements, from EN50128 [9]

• Testing activities, both on single components, on prototypes and system testing

• Verification of requirements on communication in open environments, from EN50159-2 [2]

• Verification of fulfillment of the safety target, in particular using quantitative modeling and evaluation, as fromEN50129 [2]

In the second year of the project, the consortium started the development of the prototype, an overall testing plan was developed and the testing activity started.

By the end of the project, we expect to be performed a complete testing of the system prototype and we planned to write a final document (as a project deliverable) containing the state of the verification and validation and safety activities developed in the project, identifying the problems incurred during the ALARP design and prototype development, what we were able to solve during the research project and

what remains as "open points" for the implementation of the results of the research project in a real possible future product for the railway market.

7. Conclusions (ASTS + all)

In conclusion, this paper presents the ALARP system, an innovative ATWS designed for overcoming the limits of state-of-the-art devices for the safety in railways working site. The ALARP system aims to be classified at least as SIL 2 according to the railway standards [2], [3], [9].

The system is mainly composed by two kind of devices:

• The TPAD, which is responsible of the approaching train detection and of the communication of the train presence alert to the worksite

• The MT, a wearable device (used by the railway workers) which implements notifications, communication and localization solutions in order to receive alerts messages from the TPAD and to guide the workers to a safe area.

This last functionality is implemented by exploiting differential GPS technologies and the hybridization of the information coming from the GPS with those are coming from the electronic fences or other additional devices. This approach allows to reduce the localization error and, consequently, to obtain an high precision degree.

Also, a solution for real-time and realiable communication is required to guarantee timely notifications of relevant events (and in particular, safety-critical events as ALARMs) to workers.

The ergonomic aspects of the MT have been achieved conform with human-centred design process (ISO 9241-210:2010) [10]. That means the MT has small, ergonomic design to be wearable without interfering with the worker's job, is able to generate ALARM/WARNING signals perceivable in harsh conditions (e.g. high noise, low light, etc) and has an intuitive interface easy for different users.


[1] IEC/TR 61508 "Functional safety of electrical/electronic/programmable electronic safety-related systems.

[2] CENELEC EN 50129, "Railway applications - Communication, signaling and processing systems - Safety related electronic systems for signaling".

[3] CENELEC EN 50126, "The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS)".

[4] ALARP Consortium (2001). D3.2 - Preliminary MT Design, Technical Report.

[5] Verissimo, P. (2006). Travelling through wormholes: a new look at distributed systems models. SIGACT News 37, 1, 66-81.

[6] Bondavalli, A. & Brancati, F. & Ceccarelli, A. (2009). Safe estimation of time uncertainty of local clocks. In Proc. of IEEE ISPCS 2009 (pp. 47-52), 2009.

[7] ALARP Consortium (2011). D2.2 - Resilient wireless communication architecture, Technical Report.

[8] Mock, M., Nett, E., & Schemmer, S. (1999). Efficient Reliable Real-Time Group Communication for Wireless Local Area Networks. EDCC-3, LNCS 1667, 380-397

[9] CENELEC EN 50128, "Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems".

[10] ALARP - A railway automatic track warning system based on distributed personal mobile terminals - FP7-IST-2010-234088